Security

SAS 70 and Business Continuity Planning (BCM) | What you Need to Know

As a SAS 70 auditor, i’m often asked if Business Continuity and Disaster Recovery (or any of the other similar terms and phrases used) is part of the actual SAS 70 audit. In fairness, it is even though “technically” it does not fall into a scope of a SAS 70 Type I or SAS 70 Type II audit. How’s that, you ask? Simple, according to the AICPA publication on Statement on Auditing Standard No. 70, “plans” such as BCDRP, BCM, etc. are not “controls” thus they are not considered to be part of the audit. Now, that’s the technical understanding. To be blunt, in today’s post 9/11 world we live in, Business Continuity is very much part of any service organization’s critical infrastructure, and as such, many CPA firms actually “test” to ensure an organization has a Business Continuity plan and supporting documentation in place. And no, they don’t test the plan to see if it works, they simply validate that a documented BCM plan is in place.

In short, don’t be surprised if you find information in a SAS 70 Type I or Type II audit relating to BCM. It may be in the form of a control objective that was tested or it may simply be “additional information” provided by the service organization that is actually going through the audit.

To learn more about SAS 70 audits, visit the official SAS 70 Resource Guide.

PCI DSS Compliance and the Major Payment Brands | What you may NOT Know

Merchants and service providers seeking to become Payment Card Industry Data Security Standards (PCI DSS) compliant may not actually know that the five (5) major payment brand also have their own security risk management and compliance programs. However, rest assured that, by and large, these security risk management and compliance programs are essentially “encapsulated” into the overall PCI DSS framework for purposes of compliance.

Thus, with that said, here they are:

AMEX: Its the “American Express Data Security Operating Policy” (DSOP)
Discover: Its the “Discover Information Security Compliance” (DISC)
JCB: Its the “Data Security Program”
Mastercard: Its the “Site Data Protection” (SDP)
VISA: Its the “Cardholder Information Security Program” (CISP)

So, to learn more about these five requirements, simply “google” the respective programs and you’ll find some very interesting (and hopefully useful) information. These payment brand programs include tracking and enforcement provisions, penalties, fees and compliance deadlines along with other essential information.

To learn more about PCI DSS compliance, visit the official PCI Resource Guide.

SAS 70 Audits | How Expensive are They and What is the true Cost?

As a SAS 70 auditor for a nationally recognized boutique CPA firm, i can honestly attest to the fact that SAS 70 pricing is still all over the map. I hear of SAS 70 Type I audits costing as little as $12,000 to SAS 70 Type II reports costing as much as $70,000. That’s not too say these prices are “incorrect”, rather, you have to try and understand the true “scope” of the audit and what is actually being covered in the SAS 70 Type I or SAS 70 Type II audit. Remember, there is without question a baseline cost involved in every SAS 70, but the scope of the audit is what will ultimately determine the fee for a Type I or a Type II audit.

If you want to learn more about pricing for SAS 70 audits along with other essential auditing information concerning Type I and Type II audits, then visit the official SAS 70 Resource Guide, where a wealth of information is provided on Statement on Auditing Standards No. 70 (SAS 70).

And remember, the lowest fee is by no means the best fee for your organization. Pricing alone should not dictate who you would use to conduct your SAS 70 Type I or Type II audit.

PCI DSS Roadmap to Compliance | Phase I

Merchants and service providers seeking to become Payment Card Industry Data Security Standards (PCI DSS) compliant, will need to embark on a structured “PCI DSS Roadmap to Compliance” for ensuring a seamless and transparent process. So what does this really mean and entail? It essentially requires all organizations to follow a path for PCI DSS compliance that is scalable, efficient, and gets you the results you need.

With that said, the first phase to undertake for any PCI DSS assessment is essentially a Readiness Assessment. This is a vital process that must always be the first step to undertake. In this phase, your organization will essentially identify the “who, what, where, and why” of the PCI DSS cardholder data environment. You will come to understand what the essential scope of the overall PCI DSS assessment will be, what “system components” are included in the scope of the assessment, and most importantly, what gaps or remediation activities have been found that will need to be corrected. To learn more about PCI DSS compliance, visit the official PCI DSS resource guide.

PCI DSS Compliance for Service Providers | A Growing Trend

PCI DSS compliance for service providers is growing at quite an astonishing rate, to say the least. One of the biggest contributors is that of data centers, co-location facilities, and other types of organizations providing managed services. In short, they are quickly being identified as “in scope” and in the loop in regards to storing, processing or transmitting cardholder data. Compliance for many of these service providers is not as explicit as it is for merchants; this due in large part to the unique service offerings provided by each respective service provider themselves.

Listed below are some common examples of Service Providers that are now being requested to become Payment Card Industry Data Security Standards (PCI DSS) compliant:

Transaction Processors
Payment Gateways
Web Hosting companies
Data Centers
Managed Service providers.

And the major payment brands have varying terms for what they actually call a service provider. Some are called a “Third Party Processor”, a “Data Storage Entity”, or a “Payment Service Provider”.

Two things to remember: First, compliance for service providers will continue to grow, and rapidly. Second, storing, processing, or transmitting data in any type of capacity will immediately place you under the category of a merchant or a service provider.

Visit the official PCI DSS Resource Guide to learn more about PCI compliance.

PCI DSS | SAS 70 | Finding Resources to Learn about Compliance

PCI DSS and SAS 70 Type I and Type II audits are a mainstay in today’s regulatory arena. As such, i’m often asked what are some of the best resources available to learn about the Payment Card Industry Data Security Standards (PCI DSS) initiative and the SAS 70 audit requirements.

PCI DSS
pcisecuritystandards is the official site for PCI DSS compliance. It was put forth by the Payment Card Industry Security Standards Council, commonly known as the PCI SSC. The major payment brands have effectively endorsed the PCI DSS standards, thus you can learn all you need to know about PCI DSS by visiting their site. The left column gives you quick links to all the important PCI DSS information. Their are also some very helpful forums such as pcianswers and pcidssguru. These sites are managed by industry veterans in the Payments Industry and they give you unbiased and straight answers to any questions you may have.

SAS 70
The official AICPA website offers little in the way of education on SAS 70 audits. They do sell a book on SAS 70, but it is primarily geared towards auditors and is written in a technical manner. The other solution is to visit the Official SAS 70 Resource Guide, where you can watch training videos and learn all aspects of SAS 70 Type I and Type II audits.

PCI DSS and Data Centers | Tips for Compliance

Payment Card Industry Data Security Standards (PCI DSS) compliance for data centers is here to stay, thus your facility should be prepared to undergo the PCI DSS assessment in a cost-effective and efficient manner. Here are some tips for PCI DSS compliance for data centers.

1. PCI DSS compliance is NOT just limited to Appendix A of the PCI DSS requirements.
2. Conduct a PCI DSS Readiness Assessment for truly understanding the scope of the engagement for compliance.
3. Make sure you have policy and procedural documentation in place as this is a very large and time consuming effort for any organization, especially data centers.
4. Understand the requirements for quarterly scanning and penetration testing and what is in scope for the PCI DSS assessment.
5. Correctly SCOPE the assessment. This sounds like an easy process, but it can become quite complex with all the products and services (managed services) that data centers offer for businesses today.
6. Understand the initial “roadblocks” which many service providers run into, such as having to implement two-factor authentication for remote access into the production environment along with having password requirements for all system components that fall within the scope of the actual PCI DSS assessment. (These are just two of the many roadblocks that organizations encounter).
7. Find a competent, well-qualified QSA to assist with all your compliance needs.

Visit the official PCI DSS Resource Guide to learn about PCI DSS compliance.

SAS 70 Audits for Data Centers | Why the Trend will Continue

SAS 70 audits have quickly become a high priority for data centers, co-location entities and managed service providers as of late. And there are plenty of reasons why this trend will continue go grow. The number of organizations that have buried the client server architecture is growing every day, resulting in a huge surge for data centers. In fact, most quality data centers in the United States are having little or no challenges in filling up their data center floor space. From traditional ping, power and pipe to fully managed services, data centers are becoming a necessity for most businesses today. As a result of this, their respective compliance requirements will continue to expand also. From SAS 70 to PCI DSS, just to name a few, data centers are being hit hard with the regulatory compliance bug.

Add to the fact that many data centers are now physically housing sensitive health care and financial information for many of their clients. As such, client requests for the security, confidentiality and integrity of this data are being validated via SAS 70 Type II audits. This “trend” if you want to call it that, will become a mandatory requirement for any data center seeking to grow and prosper in the coming years.

Visit the official SAS 70 Resource Guide to learn more about SAS 70 Type I and Type II audits.

GLBA and Data Centers | Tips for Compliance

GLBA Privacy Rule
Protecting the privacy of consumer information held by “financial institutions” and other third party vendors and service providers that provide “support services” to these “financial institutions” is at the heart of the financial privacy provisions of the Gramm-Leach-Bliley Financial Modernization Act of 1999. The GLB Act requires companies to give consumers privacy notices that explain the institutions’ information-sharing practices. In turn, consumers have the right to limit some - but not all - sharing of their information.

The GLB Act applies to “financial institutions” and other third party vendors and service providers; companies that offer and support financial products or services to individuals, like loans, financial or investment advice, or insurance. The Federal Trade Commission has authority to enforce the law with respect to “financial institutions” that are not covered by the federal banking agencies, the Securities and Exchange Commission, the Commodity Futures Trading Commission, and state insurance authorities. Among the institutions that fall under FTC jurisdiction for purposes of the GLB Act are non-bank mortgage lenders, loan brokers, some financial or investment advisers, tax preparers, providers of real estate settlement services, and debt collectors. At the same time, the FTC’s regulation applies only to companies that are “significantly engaged” in such financial activities, such as DATA CENTERS.

The law requires that financial institutions protect information collected about individuals; it does not apply to information collected in business or commercial activities.

Consumers and Customers
A company’s obligations under the GLB Act depend on whether the company has consumers or customers who obtain its services. A consumer is an individual who obtains or has obtained a financial product or service from a financial institution for personal, family or household reasons. A customer is a consumer with a continuing relationship with a financial institution. Generally, if the relationship between the financial institution and the individual is significant and/or long-term, the individual is a customer of the institution. For example, a person who gets a mortgage from a lender or hires a broker to get a personal loan is considered a customer of the lender or the broker, while a person who uses a check-cashing service is a consumer of that service.

Thus, in short data centers may very well be called upon to become GLBA compliant via an audit or assessment process. My advice, find a competent SAS 70 auditor who can help incorporate GLBA tests into a SAS 70 or find a competent GLBA auditor.

HIPAA Privacy Rule | Attention Data Centers | Are you HIPAA Compliant?

First it was SAS 70, then PCI, now HIPAA is fast becoming a requirement for data centers. Here’s what you need to know about the HIPAA Privacy Rule.

An electronic medical record (EMR) is usually a computerized legal medical record created in an organization in which the health information system allows storage, retrieval and manipulation of these respective records.

Electronic medical records, similar to that of hard copy medical records, must be kept in unaltered form and authenticated by the creator. Under data protection legislation, such as HIPAA, responsibility for patient records (irrespective of the form they are kept in) is always on the creator along with one of many custodians of the records, usually a health care practice, facility, or entity, such as DATA CENTERS.

Privacy Rule: The HIPAA Privacy Rule regulates the use and disclosure of certain information held by “covered entities”, which includes health care clearinghouses, employer sponsored health plans, health insurers, and medical service providers that engage in certain transactions. It establishes regulations for the use and disclosure of Protected Health Information (PHI).
Although HIPAA was enacted in 1996, the enforcement of the Privacy Rule began in 2003. The Privacy Rule mandates the following:

• Regulates the use and disclosure of protected health information by health plans, health care clearinghouses, and health care providers who transmit financial and administrative transactions electronically.
• Establishes a set of basic consumer protections
• Permits any person to file an administrative complaint for violations
• Authorizes the imposition of civil or criminal penalties.

If your data center needs to be compliant with HIPAA, then find a competent auditor to assist you.